X.509 certificate handling.

#include "ike/ike.h"
#include "ike/ike_certificate.h"
#include "ike/ike_payload_parse.h"
#include "encoding/asn1.h"
#include "encoding/oid.h"
#include "pkix/pem_import.h"
#include "pkix/x509_cert_parse.h"
#include "pkix/x509_cert_validate.h"
#include "debug.h"


Macros

#define TRACE_LEVEL   IKE_TRACE_LEVEL
 

Functions

error_t ikeGetCertificateType (const X509CertInfo *certInfo, IkeCertType *certType)
Retrieve the certificate type.

error_t ikeGetCertSubjectDn (const char_t *cert, size_t certLen, uint8_t *subjectDn, size_t *subjectDnLen)
Extract the subject's DN from a certificate.

error_t ikeFormatCertAuthorities (const char_t *trustedCaList, size_t trustedCaListLen, uint8_t *certAuth, size_t *certAuthLen)
Format the list of acceptable certification authorities.

bool_t ikeIsDuplicateCa (const uint8_t *certAuth, size_t certAuthLen, const uint8_t *digest)
Test whether the provided SHA-1 digest value is already present in the list.

error_t ikeParseCertificateChain (IkeSaEntry *sa, IpsecPadEntry *padEntry, const uint8_t *message, size_t length)
Parse a certificate chain.

error_t ikeValidateCertificate (IkeSaEntry *sa, IpsecPadEntry *padEntry, const X509CertInfo *certInfo, uint_t pathLen)
Verify a certificate against the root CAs.

error_t ikeCheckKeyUsage (const X509CertInfo *certInfo)
Check the certificate's key usage.
 

Detailed Description

X.509 certificate handling.

License

SPDX-License-Identifier: GPL-2.0-or-later

Copyright (C) 2022-2024 Oryx Embedded SARL. All rights reserved.

This file is part of CycloneIPSEC Open.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

Author
Oryx Embedded SARL (www.oryx-embedded.com)
Version
2.4.4

Definition in file ike_certificate.c.

Macro Definition Documentation

◆ TRACE_LEVEL

#define TRACE_LEVEL   IKE_TRACE_LEVEL

Definition at line 32 of file ike_certificate.c.

Function Documentation

◆ ikeCheckKeyUsage()

error_t ikeCheckKeyUsage (const X509CertInfo *certInfo)

Check the certificate's key usage.

Parameters
[in] certInfo — Pointer to the X.509 certificate
Returns
Error code

Definition at line 811 of file ike_certificate.c.

◆ ikeFormatCertAuthorities()

error_t ikeFormatCertAuthorities (const char_t *trustedCaList,
size_t trustedCaListLen,
uint8_t *certAuth,
size_t *certAuthLen)

Format the list of acceptable certification authorities.

Parameters
[in] trustedCaList — List of trusted CAs (PEM format)
[in] trustedCaListLen — Total length of the list
[out] certAuth — List of SHA-1 hashes of the public keys of the trusted CAs
[in,out] certAuthLen — Actual length of the list, in bytes
Returns
Error code

Definition at line 287 of file ike_certificate.c.

◆ ikeGetCertificateType()

error_t ikeGetCertificateType (const X509CertInfo *certInfo,
IkeCertType *certType)

Retrieve the certificate type.

Parameters
[in] certInfo — X.509 certificate
[out] certType — Certificate type
Returns
Error code

Definition at line 56 of file ike_certificate.c.

◆ ikeGetCertSubjectDn()

error_t ikeGetCertSubjectDn (const char_t *cert,
size_t certLen,
uint8_t *subjectDn,
size_t *subjectDnLen)

Extract the subject's DN from a certificate.

Parameters
[in] cert — Certificate (PEM format)
[in] certLen — Length of the certificate
[out] subjectDn — Buffer receiving the X.500 distinguished name
[out] subjectDnLen — Length of the X.500 distinguished name
Returns
Error code

Definition at line 205 of file ike_certificate.c.

◆ ikeIsDuplicateCa()

bool_t ikeIsDuplicateCa (const uint8_t *certAuth,
size_t certAuthLen,
const uint8_t *digest)

Test whether the provided SHA-1 digest value is already present in the list.

Parameters
[in] certAuth — List of SHA-1 hashes of the public keys of the trusted CAs
[in] certAuthLen — Length of the list, in bytes
[in] digest — SHA-1 digest to be checked for a duplicate value
Returns
TRUE if the SHA-1 digest value is already present in the list, FALSE otherwise

Definition at line 410 of file ike_certificate.c.

◆ ikeParseCertificateChain()

error_t ikeParseCertificateChain (IkeSaEntry *sa,
IpsecPadEntry *padEntry,
const uint8_t *message,
size_t length)

Parse a certificate chain.

Parameters
[in] sa — Pointer to the IKE SA
[in] padEntry — Pointer to the PAD entry
[in] message — Pointer to the received IKE message
[in] length — Length of the IKE message, in bytes
Returns
Error code

Definition at line 445 of file ike_certificate.c.

◆ ikeValidateCertificate()

error_t ikeValidateCertificate (IkeSaEntry *sa,
IpsecPadEntry *padEntry,
const X509CertInfo *certInfo,
uint_t pathLen)

Verify a certificate against the root CAs.

Parameters
[in] sa — Pointer to the IKE SA
[in] padEntry — Pointer to the PAD entry
[in] certInfo — X.509 certificate to be verified
[in] pathLen — Certificate path length
Returns
Error code

Definition at line 654 of file ike_certificate.c.